Veraz Networks Proprietary and Confidential
Veraz proprietary information notice: This document and the contents therein are the property of Veraz Networks Inc. Any duplication, reproduction, or transmission to unauthorized parties without prior written permission of Veraz Networks Inc. is prohibited. The recipient of this document, by its retention and use, agrees to protect the information contained herein from loss, theft, or transfer to third parties.
Security - The Big Challenge of IP Telephony
February 2003
Yaron Oppenheim
Director – Product Marketing
Agenda
- The Problem
- Why is it critical?
- It should be protected & it can be protected
- Vulnerability points
- Security strategy and measures
  - MG
  - Control Switch
  - Control protocol - MGCP
  - Inter Control Switch communication
  - The voice itself
  - Management activity
[Map of Veraz locations: Mexico City, Hong Kong, Beijing, Frankfurt, Israel, Singapore, London, Paris, Sydney, Fort Lauderdale, India, Virginia, Russia, Turkey, South Africa, Korea, Malaysia, Taiwan, Spain, Japan, Finland, Morocco, Argentina, Brazil, Chile, Philippines]
Veraz – An introduction
- Veraz is a privately held company formed by the merger of ECI-NGTS and Nexverse Networks
- Global provider of end-to-end, carrier-grade Packet Telephony solutions
  - Best-in-class integrated solution
  - Open, best-of-breed Softswitch & Media Gateway platforms
  - Driving some of the largest softswitch-based VoIP deployments in the market
- Market leader for carrier-class Digital Compression Multiplexing Equipment (DCME)
  - Over $2B installed base
  - Over 700 carrier customers in 140 countries
  - Current & on-going revenue stream
- Global presence and track record
  - 20 years of experience in delivering solutions to carriers worldwide
  - 100% ownership of advanced DSP technology
  - Global sales & support infrastructure
The Problem
- Attacks on the Internet
  - 38% of organizations' Web sites suffered unauthorized access or misuse within the last 12 months
  - Government Web site – thousands of attacks per day
- Fraud on the Internet
  - The main obstacle to e-commerce
  - Money that is lost
  - Money that is invested in securing IT installations
- Growing segment in a recessionary period
- Is IP Telephony much different?
IP Telephony network
[Diagram: the ControlSwitch (SIP Proxy/FeatureServer, FeatureServer over SIP/H.323/XML/JCC) controlling I-Gate 4000 media gateways over MGCP across the IP/ATM network; endpoints are enterprise PBX/IAD, residence/branch/SMB IADs (MGCP/SIP), SIP devices, H.323 gateways and gatekeepers, PDAs and 3G mobile; interconnects are the PSTN (ANSI/ETSI/ITU/UK/Japan SS7 ISUP/TCAP, SCP/STP) and wireless PSTN MSCs (SS7/SCP/STP/HLR, IS-41)]
Potential Threats to Network Security
- Intranet and Internet: most of the intruders come from within the organization
- Internal threats
  - Disgruntled employees
  - Social engineering
  - Former employees
- External threats
  - Hackers
  - Hacking by mistake
Typical Security Attacks
- Unauthorized access
- Denial of Service (DoS)
- Eavesdropping
- Masquerade
- Modification of information
  - Content modification
  - Sending the information at another time (replay)
- Information theft
Why is it critical?
Because:
- A lot of money can be lost
- The image of the company is a high priority
It should be protected & it can be protected
IP Telephony will not be widely deployed without a reasonable security solution!
Security – you have to protect 360°
The hacker needs only one vulnerability point.
[Diagram: the same IP Telephony network as above (ControlSwitch, I-Gate 4000 media gateways, SIP/H.323/MGCP endpoints, PSTN and wireless SS7 interconnects), every element and link being a possible entry point]
Vulnerability points
[Diagram: the I-Gate 4000 and I-Gate 4000 Pro media gateways, the CCP/SG, RE, EC, CDR and VerazView elements, and the IP network / Internet / Intranet links between them, labelled with the protocol on each link: MGCP, CMI, SNMP, HTTP, RTP]
You have to protect them all
- Call Control Element (CCE)
- Signaling Gateway (SG)
- Routing Engine (RE)
- Event Collector (EC)
- CDR Manager
- Media Gateway (I-Gate 4000/PRO)
- Management System (VerazView)
- Links between elements
Defense strategy
- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- The Management System should be highly secured
- ALL the information traveling from NE to NE (and from the MS to NE) should be encrypted and authenticated.
MG security
- The only way to access the Media Gateway is by using the management system
- Blocking unnecessary protocols: HTTP, Telnet, etc.
- Protecting the MG from unauthorized access – firewall functionality
  - Predefined list of IPs
  - Predefined protocols
  - Application (MGCP) aware
- Location of the firewall
[Diagram: I-Gate 4000 and I-Gate 4000 Pro on the IP network]
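As an added example (not Veraz code), the three firewall rules on this slide modelled in Python: a predefined list of peer IPs, predefined protocols per peer, and an MGCP-aware check on what arrives at the gateway's MGCP port. The addresses are constructed sample values; the MGCP verbs, request-line format and port 2427 follow RFC 3435.

```python
# Added example (not Veraz code): a minimal model of the slide's MG firewall
# rules - a predefined list of peer IPs, a predefined list of protocols,
# and an MGCP-aware check on what the call agent sends to the gateway.
# All addresses are constructed sample values.
import ipaddress
import re

# Predefined peers: only the call control platform (MGCP call agent) and
# the management server may talk to the media gateway at all.
ALLOWED_PEERS = {"10.0.1.10": "call_agent", "10.0.2.20": "mgmt_server"}

# Predefined protocols per peer: MGCP to the gateway port 2427/udp
# (RFC 3435) from the call agent, HTTPS from the management server.
# Telnet, plain HTTP and SNMP are not listed, so they are dropped.
MGCP_PORT = 2427
ALLOWED_FLOWS = {("call_agent", "udp", MGCP_PORT), ("mgmt_server", "tcp", 443)}

# Command verbs a gateway may receive from its call agent (RFC 3435);
# RSIP and NTFY go the other way and are not accepted inbound.
MGCP_VERBS = {"CRCX", "MDCX", "DLCX", "RQNT", "AUEP", "AUCX", "EPCF"}
# Request line: <verb> <transaction-id> <endpoint-name> MGCP <version>
MGCP_REQUEST = re.compile(r"^([A-Z]{4}) (\d{1,9}) (\S+@\S+) MGCP (\d+\.\d+)$")

def mgcp_request_ok(payload: bytes) -> bool:
    """Application-aware check: the first line must be a well-formed MGCP
    command with a known verb; binary junk, responses and unknown verbs fail."""
    try:
        first = payload.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii")
    except UnicodeDecodeError:
        return False
    m = MGCP_REQUEST.match(first)
    return m is not None and m.group(1) in MGCP_VERBS

def filter_packet(src: str, proto: str, dport: int, payload: bytes = b"") -> str:
    """Decide one inbound packet: 'accept' or 'drop: <reason>'."""
    try:
        ipaddress.ip_address(src)           # reject garbage before lookup
    except ValueError:
        return "drop: malformed source address"
    peer = ALLOWED_PEERS.get(src)
    if peer is None:
        return "drop: source not in predefined IP list"
    if (peer, proto, dport) not in ALLOWED_FLOWS:
        return "drop: protocol not predefined for this peer"
    if dport == MGCP_PORT and not mgcp_request_ok(payload):
        return "drop: not a well-formed MGCP command"
    return "accept"
```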
Control Switch elements
- Unix-based elements
- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- Block unnecessary protocols
- Access control
- Firewall
[Diagram: the CCP, SG, EMS, CDR, EC and RE elements]
MG – Call Control Platform channel
- MGCP, H.248
- IPsec – the de facto standard – provides protection (encryption & authentication) to each IP packet
  - Authentication, Integrity, Confidentiality
  - IPsec – Authentication Header (AH)
  - IPsec – Encapsulating Security Payload (ESP)
- IKE – Internet Key Exchange (RFC 2409)
  - Session key
  - Long-term key
[Diagram: the MGCP link between the I-Gate 4000 / I-Gate 4000 Pro media gateways and the CCP/SG across the IP network and Internet/Intranet, with VerazView, CDR, EC and RE alongside]
IPsec implementation
- External boxes: Check Point, Symantec, Cisco
- Embedded implementation
- Pros & cons: vulnerability, cost, management
Control Switch elements comm.
- CMI communication
  - CCP - EC
  - CCP - SG
  - CCP - RE
  - EC - CDR manager
[Diagram: CCP/SG, EMS, CDR, EC and RE with the I-Gate 4000 / I-Gate 4000 Pro gateways across the IP network and Internet/Intranet]
Voice - RTP
- SRTP
- IPsec
[Diagram: RTP voice across the IP network]
Management System Security
The Management System is the gate to the system…
MS Architecture
- Management System Server
  - Management server
  - Database server
  - High availability
- WBM Client
  - Operating System independent
  - Web browser Graphical User Interface
  - Does not require installation
[Diagram: PCs with a Web browser (clients) connected over the WAN to the VerazView server, which manages the I-Gate 4000 gateways and the Control Switch elements]
Vulnerability Points
- Management System – Network Elements channel: eavesdropping, information theft
- MS Server: intrusion, DoS, masquerade, modification of information
- MS WBM client and connection: eavesdropping, intrusion, information theft
Vulnerability at one of the VoIP elements can harm the entire IP Telephony network
[Diagram: Mgmt. System WBM client over the Internet/Intranet to the Mgmt. System Server (VerazView), which reaches the Control SW, SG and I-Gate 4000 across the IP network]
Access Control
- User ID and Password – much more than that!
- Validity of user IDs
- Password generation
- Password validity rules
  - Length
  - Structure
  - Time to live
  - Password history
  - Forced password change
- Prevent repetitive intrusion attempts
- Inform the user of the previous login time
- User's access levels
- Etc. etc…
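As an added example (not Veraz code), the rules on this slide as a small Python account model: user-ID validity, password length, structure, time to live and history, a forced change of the administrator-set initial password, suspension after repeated failed attempts, access level, and reporting the previous login time. The policy numbers (10 characters, 3 character classes, 90-day TTL, 5-password history, 3 failures) are constructed sample values, not Veraz defaults.

```python
# Added example (not Veraz code) modelling this slide's access-control rules:
# user-ID validity, password length/structure/TTL/history, forced change, lockout
# after repeated failures, previous-login reporting. Policy values are constructed.
import hashlib
import hmac
import os

POLICY = {"min_len": 10, "classes": 3, "ttl": 90 * 86_400, "history": 5, "max_failures": 3}  # times in Unix seconds

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

def password_structure_ok(pw: str) -> bool:
    # Length rule plus structure rule: enough distinct character classes.
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= POLICY["min_len"] and sum(classes) >= POLICY["classes"]

class Account:
    def __init__(self, user_id: str, password: str, level: str, valid_until: int, now: int):
        self.user_id, self.level, self.valid_until = user_id, level, valid_until
        self.history = []                     # (salt, hash) of past passwords
        self.failures, self.last_login = 0, None
        self.set_password(password, now)
        self.must_change = True               # administrator-set initial password

    def set_password(self, pw: str, now: int) -> None:
        if not password_structure_ok(pw):
            raise ValueError("password does not meet length/structure rules")
        recent = self.history[-POLICY["history"]:]
        if any(hmac.compare_digest(_hash(pw, s), h) for s, h in recent):
            raise ValueError("password reused within history window")
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
        self.changed_at, self.must_change = now, False

    def login(self, pw: str, now: int) -> dict:
        if now > self.valid_until:
            return {"ok": False, "reason": "user ID expired"}
        if self.failures >= POLICY["max_failures"]:
            return {"ok": False, "reason": "suspended after repeated failures"}
        salt, h = self.history[-1]
        if not hmac.compare_digest(_hash(pw, salt), h):
            self.failures += 1                # counts toward suspension
            return {"ok": False, "reason": "bad password"}
        self.failures, prev, self.last_login = 0, self.last_login, now
        expired = now - self.changed_at > POLICY["ttl"]   # time-to-live rule
        return {"ok": True, "level": self.level, "previous_login": prev,
                "must_change": self.must_change or expired}
```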
Security Administrator
- Who are the active users?
  - Force logout
  - Suspend
- What are the users doing?
Web-Based Management
- All you need is a Web browser
- OS independent
- HW independent
- Can be shared with other applications
- Low bandwidth
- WBM – openness and vulnerability
[Diagram: Mgmt. System WBM client over the Internet/Intranet to the Mgmt. System Server (VerazView), which reaches the Control SW, SG and I-Gate 4000 across the IP network]
WBM Encryption
- SSL – Secure Sockets Layer
  - Provides encryption, authentication & integrity of the data stream
  - Encryption of the management information
  - SSL is the most popular method to secure Internet transport
  - Used by Web browsers and servers
  - The protocol that incorporates SSL and HTTP is HTTPS
  - Powerful encryption method
[Diagram: SSL between the WBM client on the Internet/Intranet and the IP Telephony network]
Separating Internet Server from MS
- To secure the IP Network from hackers:
  - Internet Server separated from the MS Server
  - MS Internet Server located in a demilitarized zone (DMZ)
- Protection from hackers: secured protocol, firewall
[Diagram: WBM client on the Internet, Internet Server, secured protocol to the Mgmt Server on the IP network, which manages the Media Gateways (MG) and Control SW]
Disaster Recovery
- MS Servers at two remote locations
- RAID disk array
- No single point of failure
[Diagram: Web client served by the Main Location, with an Alternate Location as standby]

Questions?